Why Business Associate Agreements matter

Tuesday, July 21, 2015


Formally stated, Business Associate Agreements (BAAs) are contracts required under HIPAA that govern how protected health information (PHI) is transmitted, used and stored between covered entities and their business associates. That definition can be enough to give a practice manager a headache, but if you end your exploration there in favor of your favorite headache remedy, your risk management strategy will be missing one of the most important risk mitigation tools you possess. So, let's simplify.

When we deal with risk, we really have three options: reduce or eliminate it, accept it, or transfer it. The BAA is a tool for both reduction and transfer. Its potential to reduce risk is why the U.S. Department of Health and Human Services (HHS) requires BAAs between covered entities (health plans, health care clearinghouses and health care providers subject to HIPAA) and those who create, receive, maintain or transmit PHI on their behalf (business associates). The risk reduction here is not a complicated concept. By forcing covered entities and business associates to think through every use of PHI that will occur in their relationship, and to document how each will be handled, BAAs cut down on miscommunication and misunderstanding between the two parties.

Outlining responsibilities in a BAA is also an avenue for covered entities to transfer risk. For example, if I run a document disposal company that performs disposal services for a medical clinic, that clinic expects (or should expect) that my service not only relieves its staff of the burden of securely disposing of medical records, but also shifts to me the responsibility for making sure the disposal is done properly. My company therefore assumes both the work and the risk. One caveat: the transfer is not absolute. The clinic still must act if it learns that I am mishandling PHI, and a BAA that spells out its right to be notified of incidents and to terminate the relationship is what lets it do so. With that example in mind, it is easy to see why covered entities and business associates who handle PHI should enter into BAAs.

The reasons that justify these agreements are the same ones that support standard contracts between businesses. In fact, we recommend that covered entities enter into BAAs with all of their vendors, whether or not their duties require them to come into contact with PHI. For vendors who are not supposed to touch PHI, the agreement is simple (and numerous templates for the language exist). In essence, the vendor is not to have PHI, and if it comes into contact with PHI anyway, the covered entity must be told immediately and the situation must be properly mitigated. For the covered entity, spelling out each vendor's responsibilities for PHI leaves far less room for misunderstanding and greatly reduces its risk profile.